US9900327B2 - Method for detecting an attack in a computer network - Google Patents


Info

Publication number
US9900327B2
Authority
US
United States
Prior art keywords
computer network
warning messages
anomaly
type
computers
Prior art date
Legal status
Active, expires
Application number
US14/801,913
Other languages
English (en)
Other versions
US20160021128A1 (en)
Inventor
Mathias KLOTH
Michael WESTPHALEN
Current Assignee
Deutsche Telekom AG
Original Assignee
Deutsche Telekom AG
Priority date
Filing date
Publication date
Application filed by Deutsche Telekom AG
Assigned to Deutsche Telekom AG (assignment of assignors' interest; assignors: Westphalen, Michael; Kloth, Mathias)
Publication of US20160021128A1
Application granted
Publication of US9900327B2
Legal status: Active
Adjusted expiration

Classifications

    • All classifications lie under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication).
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/06 Management of faults, events, alarms or notifications)
    • H04L41/0681 Configuration of triggering conditions (under H04L41/06)
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications (under H04L41/06)

Definitions

  • The present invention relates to a method and to an analysis system for detecting an attack in a computer network.
  • The present invention provides a method for detecting an attack in a computer network comprising a plurality of computers.
  • The method includes: receiving a plurality of warning messages from the computers, the warning messages being based on different types of anomalies in the computer network; comparing a number of warning messages from the plurality of received warning messages with a predetermined event threshold, the number of warning messages being based on a single type of anomaly in the computer network; and outputting an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • FIG. 1 is a schematic illustration of an embodiment of a classification 100 of warning messages into different types of anomalies.
  • FIG. 2 is a schematic illustration of an embodiment of an analysis system 200 for detecting an attack on a computer network.
  • FIG. 3 is a schematic illustration of a further embodiment of an analysis system 300 for detecting an attack on a computer network.
  • FIG. 4 is a schematic illustration of a scenario 400 of an attack on an Internet Web page 411 of a computer network 410, an analysis system 200, 300 in accordance with an embodiment detecting the attack.
  • FIG. 5 is a schematic illustration of a scenario 500 of a virus attack on a group of networked computers of a company's internal computer network 510, an analysis system 200, 300 in accordance with an embodiment detecting the attack.
  • FIG. 6 is a schematic illustration of a method 600 for detecting an attack on a computer network in accordance with an embodiment.
  • The present invention provides for detecting an attack in a computer network.
  • SIEM (security information and event management) is a term for software and product services which combine security information management (SIM) with security event management (SEM). SIEM technology provides real-time analysis of security alarms, which may be generated by network hardware and network applications. SIEM may be sold in the form of software, applications or related services, and may also be used to record security-related data and generate reports for compliance applications.
  • Command and control (C2) servers are centralised machines or computer servers capable of sending commands to, and obtaining responses from, machines or computers which are part of a bot network.
  • Attackers who want to initiate a DDoS (distributed denial of service) attack can, at any time, send special commands comprising instructions to attack a particular target computer to the C2 server of their bot network, and every infected machine which is communicating with the contacted C2 server will accordingly initiate a coordinated attack on the target computer.
  • The methods and systems set out in the following may be used to protect a computer network from attacks by bot networks, in particular from DDoS attacks, spamming attacks, sniffing attacks, phishing attacks, malware propagation, keylogging, installation of undesirable software, identity theft and manipulation of the computer network.
  • Information technology is an umbrella term for information and data processing and the hardware and software required for it.
  • The information technology of a company comprises all technical devices for generating, processing and passing on information.
  • One aspect of the invention relates to a method for detecting an attack in a computer network comprising a plurality of computers, comprising the following steps: receiving a plurality of warning messages from the computers, the warning messages being based on different types of anomalies in the computer network; comparing a number of warning messages from the plurality of received warning messages with a predetermined event threshold, the number of warning messages being based on a single type of anomaly in the computer network; and outputting an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • An advantage of a method of this type is that the method can rapidly and reliably trigger an alarm signal in the event of an imminent attack on the computer network.
  • The computers in the computer network constantly generate a large number of warning messages, for example in the event of a non-functioning software update, when the processor is overloaded, when a software update has not yet been carried out, when a password is entered incorrectly, when Internet access is temporarily unavailable, when it is not possible to access particular data, etc.
  • These warning messages are due to particular anomalies in the computer network, which occur more or less frequently during operation and generally require interaction by the user to eliminate them.
  • Non-critical or slight anomalies in the computer system, such as a software update which has not been carried out or overloading of the processor, occur very frequently and are easy to eliminate.
  • Critical anomalies, such as the unexpected failure of particular components of the system or the inability to access rarely used system resources, occur only very rarely, and so therefore do the relevant warning messages.
  • The method detects a possible or imminent attack on the computer network or computer system on the basis of these critical anomalies in the network. For this purpose, the occurring warning messages can be assigned to the possible anomalies in the computer network and counted per anomaly. If the number of warning messages based on the same type of anomaly in the computer network falls below an event threshold, the user of the computer network can be warned, by the triggering of an alarm, that a possible attack is imminent or has already taken place.
  • In an embodiment, the method comprises receiving the plurality of warning messages in a predetermined time interval.
  • In an embodiment, the method comprises classifying the plurality of warning messages by the type of anomaly indicated by a respective warning message.
  • In an embodiment, the method comprises determining the type of anomaly indicated by a warning message on the basis of the content of the warning message.
  • The type of anomaly can easily be determined, for example by querying a particular data field or flag within the warning message, which may for example be in the form of a data packet comprising a header and a payload. If the anomaly can be determined on the basis of the content of the warning message, no further information is required to determine it, and this makes the method simple and reliable.
  • In an embodiment, the method comprises counting the received warning messages which are classified as the same type in the predetermined time interval, so as to determine the number, and outputting the alarm signal if the number of warning messages counted in the predetermined time interval which are classified as the same type falls below the event threshold.
  • The method is thus very simple to carry out, for example using a switch, a plurality of counters and a timer or clock.
  • Depending on the type of anomaly indicated, the switch can supply each warning message to a respective counter, which counts the number of warning messages supplied to it. Once a particular time indicated by the timer has elapsed, the counter values can be read. If one of the read counter values has fallen below the event threshold, an alarm can be triggered.
  • The method can thus be implemented using simple logic circuits, for example on an IC or a chip.
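The switch, counters and timer described above, as an added worked example in Python. This is not code from the patent or from Deutsche Telekom; the message field names, the constructed sample messages, and the decision to report only anomaly types that occurred at least once in the interval (a counter that never received a message is treated as having nothing to read) are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WarningMessage:
    """A warning message as received from a computer in the network.

    Field names are assumptions for this example; the patent only requires
    that the type of anomaly be recoverable from the message content.
    """
    timestamp: float      # seconds since epoch
    source: str           # host that emitted the warning
    anomaly_type: str     # the data field / flag that the classifier queries


# Constructed sample input (not from the patent): four anomaly types with
# decreasing frequency, mirroring the first to fourth type of FIG. 1.
SAMPLE_MESSAGES = [
    WarningMessage(1000.0 + i, f"host{i % 3}", "update_pending") for i in range(6)
] + [
    WarningMessage(1010.0 + i, f"host{i % 2}", "cpu_overload") for i in range(4)
] + [
    WarningMessage(1020.0, "host1", "bad_password"),
    WarningMessage(1025.0, "host2", "bad_password"),
    WarningMessage(1030.0, "host0", "component_failure"),
    # lies outside the 60 s interval used below and must not be counted there
    WarningMessage(1100.0, "host0", "component_failure"),
]


def classify(msg: WarningMessage) -> str:
    """Determine the type of anomaly from the message content alone."""
    return msg.anomaly_type


def count_by_type(messages, interval_start, interval_length):
    """The 'switch': route every message that falls into the interval
    [interval_start, interval_start + interval_length) to the counter
    belonging to its anomaly type."""
    counters = Counter()
    interval_end = interval_start + interval_length
    for msg in messages:
        if interval_start <= msg.timestamp < interval_end:
            counters[classify(msg)] += 1
    return counters


def rare_types(counters, event_threshold):
    """Read the counters once the timer has elapsed and return the anomaly
    types whose count fell below the event threshold, rarest first.

    Assumption: only types that occurred at least once are reported, so a
    quiet period does not raise an alarm for every known type.
    """
    return sorted(
        (t for t, n in counters.items() if 0 < n < event_threshold),
        key=lambda t: (counters[t], t),
    )


def run_interval(messages, interval_start, interval_length, event_threshold):
    """One timer period: count per type, then compare with the threshold."""
    counters = count_by_type(messages, interval_start, interval_length)
    return counters, rare_types(counters, event_threshold)


if __name__ == "__main__":
    counters, alarms = run_interval(SAMPLE_MESSAGES, 1000.0, 60.0, 2)
    for anomaly_type, n in counters.most_common():
        print(f"{anomaly_type:20s} {n}")
    print("alarm signal for:", alarms)
```

With the sample above and an event threshold of 2, only `component_failure` (seen once in the interval) triggers the alarm; raising the threshold to 3 also flags `bad_password`, which is the trade-off the adjustable threshold in the later embodiments is meant to tune.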
  • In an embodiment, the method comprises determining the probability of the presence of an attack on the computer network on the basis of the number of warning messages which fall below the event threshold.
  • The alarm can be graded using the probability value.
  • The alarm may be triggered even at a low probability of an attack, the probability value signalling the severity of the attack.
  • For example, a low probability value may be indicated by a green alarm light, a medium probability value by a yellow alarm light and a high probability value by a red alarm light.
  • By way of the probability value, the user obtains more information about the nature or severity of the possible or imminent attack.
  • In an embodiment, the method comprises determining the probability value for the presence of an attack on the computer network further on the basis of at least one of the following predetermined parameters: blacklists, whitelists, thresholds, event correlations, and definition of threat potentials of individual user groups of the computer network.
  • In an embodiment, the method comprises determining the probability value for the presence of an attack on the computer network further on the basis of a number of visitors to the computer network, in particular a number of visitors to a Web page of the computer network.
  • In an embodiment, the method comprises determining the probability value for the presence of an attack on the computer network further on the basis of a frequency of rarely executed processes in the computer network.
  • A computer network which is in the normal state generally operates using the same processes. Rarely executed processes may thus, in a simple manner, provide an indication of an anomaly and therefore of a possible threat.
  • In an embodiment, the method comprises determining the probability value for the presence of an attack on the computer network further on the basis of a frequency of programs which are being executed on a predetermined group of the plurality of computers in the computer network, in particular on the basis of a frequency of programs which have only been executed on the predetermined group of computers since a predetermined time.
  • In an embodiment, the method comprises using one or more of the following systems on at least one of the plurality of computers to generate the warning messages: virus scanner, proxy server, IDS (intrusion detection system), firewall, operating system, log management system, security information and event management (SIEM) system.
  • The advantage of a method of this type is that the stated systems can be used to determine various characteristics of the system and pass them on by way of the warning messages. By analysing a large volume of log data, the method can detect a peculiarity or anomaly earlier than is possible by considering only the current network indicators.
  • The analysis can be carried out by various analysis methods, for example by artificial intelligence methods or using neural networks, and provides reliable analysis results, which can be prepared in the form of events.
  • The analysis can narrow the large volume of data in the computer network down to the relevant aspects or provide a number of relevant events which can subsequently be restricted further.
  • In an embodiment, the method comprises adjusting the event threshold on the basis of the number of warning messages which fall below the event threshold.
  • The indicator can thus be adjusted flexibly to varying environmental influences, for example additional software or hardware components in the computer network.
  • In an embodiment, the method comprises adaptive adjustment of the event threshold as a function of at least one of the following events: user feedback, changes in the network architecture of the computer network, changes in the number of computers in the computer network.
  • A method of this type has the advantage that it can be flexibly adjusted to a changed structure and that the knowledge of the user can also influence the decision-making.
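The graded alarm (green, yellow, red light from a probability value that also takes the threat potential of a user group into account) and the adaptive adjustment of the event threshold by network size and user feedback, as one added example in Python. It is not code from the patent or from Deutsche Telekom: the formula that maps a count below the threshold to a probability value, the one-third grading boundaries, and the scaling factors applied on feedback are all assumptions chosen for illustration.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


def attack_probability(count, event_threshold, threat_weight=1.0):
    """Probability value for a count of one anomaly type in one interval.

    A count of 0 means nothing comparable was seen before and is maximally
    unfamiliar (1.0); a count just under the threshold is only slightly
    unfamiliar. threat_weight > 1.0 raises the value when the warning
    messages stem from a user group the analyst has defined as having an
    increased threat potential. The mapping is an assumption of this example.
    """
    if event_threshold <= 0:
        raise ValueError("event threshold must be positive")
    if count >= event_threshold:
        return 0.0                      # familiar: no indication of an attack
    rarity = 1.0 - count / event_threshold
    return min(1.0, rarity * threat_weight)


def grade(probability):
    """Map the probability value to the alarm light (boundaries assumed)."""
    if probability < 1 / 3:
        return GREEN
    if probability < 2 / 3:
        return YELLOW
    return RED


def graded_alarm(anomaly_type, count, event_threshold, threat_weight=1.0):
    """Alarm record for one anomaly type whose count was compared."""
    p = attack_probability(count, event_threshold, threat_weight)
    return {"type": anomaly_type, "count": count,
            "probability": round(p, 3), "light": grade(p)}


def adjust_threshold(event_threshold, old_hosts, new_hosts, feedback=None):
    """Adaptive adjustment of the event threshold.

    1. Scale with the number of computers: a type of anomaly seen n times on
       100 hosts is expected about 1.5 n times on 150 hosts, so the same
       rarity corresponds to a higher absolute count.
    2. Apply analyst feedback on the last alarm: a false alarm lowers the
       threshold (the type must be rarer to alarm again), a missed attack
       raises it. The 20 % / 25 % factors are assumptions.
    The threshold never drops below 1 (a count of 0 must stay reportable).
    """
    if old_hosts <= 0 or new_hosts <= 0:
        raise ValueError("host counts must be positive")
    scaled = event_threshold * new_hosts / old_hosts
    if feedback == "false_alarm":
        scaled *= 0.8
    elif feedback == "missed_attack":
        scaled *= 1.25
    elif feedback is not None:
        raise ValueError(f"unknown feedback {feedback!r}")
    return max(1, round(scaled))


if __name__ == "__main__":
    print(graded_alarm("component_failure", 1, 4))
    print(graded_alarm("bad_password", 3, 4, threat_weight=2.0))
    print("threshold after growing from 100 to 150 hosts:", adjust_threshold(4, 100, 150))
```

The same count can land in different colours depending on the threat weight of the group it came from, which is how the "threat potentials of individual user groups" parameter feeds the grading without changing the underlying counting.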
  • An aspect of the invention relates to an analysis system for detecting an attack in a computer network comprising a plurality of computers, comprising: a receiving module configured to receive a plurality of warning messages from the computers, the warning messages being based on different types of anomalies in the computer network; a comparison module configured to compare a number of warning messages from the plurality of received warning messages with a predetermined event threshold, the number of warning messages being based on a single type of anomaly in the computer network; and an output module configured to output an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • An advantage of an analysis system of this type is that the system can rapidly and reliably trigger an alarm signal in the event of an imminent attack on the computer network.
  • The analysis system can reliably detect a possible or imminent attack on the computer network or computer system on the basis of critical anomalies in the network which are indicated by the warning messages.
  • The system may assign the occurring warning messages to the possible anomalies in the computer network and count them per anomaly. If the number of warning messages for a particular anomaly is large, in other words exceeds a particular threshold, it is to be assumed that this anomaly occurs frequently in the computer network and is therefore to be classified as non-critical.
  • The output module can output an alarm signal to warn the user of the computer network that a possible attack is imminent or has already taken place.
  • The individual modules can be implemented flexibly on different software or hardware components, for example on components within the computer network or on external components outside the computer network.
  • In an embodiment, the analysis system comprises a classification module configured to classify the plurality of warning messages by the type of anomaly indicated by a respective warning message.
  • The advantage of the classification module is that it can rapidly filter the relevant warning messages which signal a critical anomaly in the computer network out of the large number of incoming warning messages.
  • In an embodiment, the analysis system comprises an adjustment module configured to adjust the event threshold on the basis of the number of warning messages which fall below the event threshold.
  • The adjustment module can adjust the event threshold on the basis of findings about the computer network, for example in an adaptive manner.
  • The adjustment may for example take place as a function of the structure and the individual components of the network.
  • The triggering of the alarm signal can thus be flexibly adjusted to varying environmental influences, for example additional software or hardware components in the computer network.
  • FIG. 1 is a schematic illustration of an embodiment of a classification 100 of warning messages into different types of anomalies.
  • Warning messages 102 carrying different types or natures of warnings are received from the computers.
  • The total volume 110 (the total fraction or total number of warning messages) contains different types of warnings which are based on different anomalies in the computer network.
  • An anomaly in the computer network means an irregularity or peculiarity in the computer network or a pattern deviating from the norm, for example as a result of a fault. An anomaly can thus be thought of as a state of the computer differing from what is expected.
  • FIG. 1 shows the classification of the warning messages into a first type 111 of anomaly, a second type 112 of anomaly, a third type 113 of anomaly and a fourth type 114 of anomaly.
  • Any other number of types may occur.
  • Warning messages of the first type 111 of anomaly occur most frequently, then warning messages of the second type 112 of anomaly, then warning messages of the third type 113 of anomaly, and warning messages of the fourth type 114 of anomaly occur most rarely.
  • From the number of warning messages of the respective type, it can be decided whether the computer system is in a critical state, in other words whether an attack on the computer system is imminent or has already taken place. If the number of warning messages of a type of anomaly, in this case the fourth type 114, based on a particular time period, falls below a particular threshold, also known as the event threshold, there is a critical state and an alarm signal 108 is triggered.
  • The methods and analysis systems described in the following may be based on a classification as described in FIG. 1.
  • FIG. 2 is a schematic illustration of an embodiment of an analysis system 200 for detecting an attack in a computer network comprising a plurality of computers.
  • The analysis system 200 comprises a receiving module 201, a comparison module 203 and an output module 205.
  • A plurality of warning messages 102 are received from the computers, the warning messages being based on different types of anomalies in the computer network in accordance with the illustration of FIG. 1.
  • A number or fraction of the warning messages 204 from the plurality of received warning messages is compared with a predetermined event threshold, the number or fraction of the warning messages 204 being based on a single type of anomaly in the computer network, for example the fourth type 114, as shown in FIG. 1.
  • An alarm signal 108 is outputted if the number of warning messages based on the same type of anomaly in the computer network, in other words the result 206 of the comparison module 203, falls below the event threshold.
  • The analysis system 200 may automatically correlate a large number of received warning messages and analyse them for the presence of an anomaly and thus of a possible indicator of an attack.
  • As a data source, purposefully selected log data or alternatively a previously installed SIEM system may be used.
  • The purpose of the analysis is to reduce the volume of available data by particular analysis methods and prepare it in the form of events in such a way that a specialist is able to detect potential attacks on the basis of the analysed log data.
  • The underlying automated analysis method is based on searching for unfamiliar and rarely occurring events. The frequency of occurrence of a particular (or comparable) event in a particular time period is directly correlated with its "familiarity". Frequently occurring events thus tend to be classified as familiar and are therefore irrelevant. By contrast, rarely occurring events tend to be unfamiliar and thus potentially more relevant.
  • A probability value for the presence of an attack is calculated and, if it exceeds a particular threshold, correlated with an event and prepared for analysis. In essence, this is thus a frequency analysis of events based on a particular time period.
  • The parameter adjustments, which are ultimately also decisive for positive anomaly detection, can be carried out semi-automatically by the analysis system 200. Methods from the field of artificial intelligence may be used for this purpose, the analysis system 200 being able to make specific suggestions to the user/analyst, for example for adjusting a particular threshold.
  • The suggestions may be made, among other things, on the basis of user feedback and varying constraints, such as established changes in the network architecture or predictable changes in the number of active network subscribers, for example during holiday time.
  • A decision made by the user or analyst on a provided suggestion may in turn influence future suggestions.
  • FIG. 3 is a schematic illustration of a further embodiment of an analysis system 300 for detecting an attack in a computer network comprising a plurality of computers.
  • The analysis system 300 comprises a receiving module 301, a classification module 309, a comparison module 305 and an output module 307.
  • A plurality of warning messages 102 are received from the computers, the warning messages being based on different types of anomalies in the computer network in accordance with the illustration in FIG. 1.
  • The plurality of warning messages may be received in a predetermined time interval, for example 1 second, 1 minute, 5 minutes, 30 minutes or 1 hour.
  • To generate the warning messages, one or more of the following systems may be used, which may for example be installed on one or more of the computers of the computer network: a virus scanner, a proxy server, an IDS (intrusion detection system), a firewall, an operating system, a log management system, a SIEM system (security information and event management system).
  • The plurality of warning messages are classified by the type 310 of anomaly indicated by a respective warning message.
  • The warning messages 304 are divided into different classes, each of which is associated with a type 310 of anomaly in the computer network, and passed on to the comparison module 305.
  • The plurality of warning messages can thus be classified by the type of anomaly indicated by a respective warning message.
  • The type of anomaly indicated by a warning message may for example be determined on the basis of the content of the warning message, for example by evaluating a data field such as a header or a payload in the warning message.
  • A number or fraction of the warning messages from the plurality of received warning messages is compared with a predetermined event threshold, the number or fraction of the warning messages being based on a single type of anomaly in the computer network, for example the fourth type 114, as shown in FIG. 1.
  • The respective numbers or fractions of the warning messages correspond to the classes into which the warning messages were classified by the classification module 309.
  • The comparison module may for example carry out the comparison in a predetermined time interval so as to have a reference.
  • The comparison may for example be carried out by counting the received warning messages which are classified as the same type, for example by counting within a predetermined time interval. If the warning messages thus counted within the predetermined time interval fall below the event threshold, the output module 307 can be instructed to output the alarm signal 108, for example by way of the result 306 of the comparison.
  • The alarm signal 108 is outputted if the number of warning messages based on the same type 310 of anomaly in the computer network, in other words the number of warning messages assigned to a particular class, falls below the event threshold.
  • The output module 307 may determine a probability value for the presence of an attack on the computer network, for example on the basis of an analysis of the number or fraction of the warning messages which fall below the event threshold.
  • The probability value may further be determined on the basis of one or more of the following predetermined parameters: blacklists, whitelists, thresholds, event correlations, and definition of threat potentials of individual user groups of the computer network.
  • The probability value for the presence of an attack on the computer network may further be determined on the basis of a number of visitors to the computer network, in particular of a number of visitors to a Web page of the computer network, as is described in greater detail below in relation to FIG. 4.
  • The probability value for the presence of an attack on the computer network may further be determined on the basis of a frequency of rarely executed processes in the computer network, as is described in greater detail below in relation to FIG. 5.
  • The probability value for the presence of an attack on the computer network may further be determined on the basis of a frequency of programs which are executed on a predetermined group of the plurality of computers in the computer network, in particular on the basis of a frequency of programs which have only been executed on the predetermined group of computers since a predetermined time, as is described in greater detail below in relation to FIG. 5.
  • The analysis system 300 may further comprise an adjustment module (not shown in FIG. 3), by means of which the event threshold can be adjusted on the basis of the fraction of warning messages of which the number falls below the event threshold.
  • A suggestion to adjust the event threshold may be made which may be based on the number of warning messages which fall below the event threshold.
  • The suggestion may further be based on user feedback and/or changes in the network architecture of the computer network, in particular changes in the number of computers in the computer network.
  • The event threshold may be adjusted adaptively, for example as a function of at least one of the following events: user feedback, changes in the network architecture of the computer network, changes in the number of computers in the computer network.
  • FIG. 4 is a schematic illustration of a scenario 400 of an attack on an Internet Web page 411 of a computer network 410, an analysis system 200, 300 detecting the attack.
  • The attack originates from a small group of visitors 420 to the Internet Web page 411.
  • The analysis system 200, 300 may correspond to the systems described in FIG. 2 or FIG. 3.
  • The analysis system 200 may comprise a receiving module 201, a comparison module 203 and an output module 205.
  • In a receiving module 201, a plurality of warning messages 102 are received from the computers, the warning messages being based on different types of anomalies in the computer network in accordance with the illustration in FIG. 1.
  • In a comparison module 203, a number or fraction of the warning messages from the plurality of received warning messages is compared with a predetermined event threshold, the number or fraction of the warning messages being based on a single type of anomaly in the computer network.
  • An alarm signal 108 is outputted if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • In the following, a mode of operation of the analysis system 200, 300 is described. If many different visitors visit a particular system on the Internet, for example a Web page 411, this process is presumed to be non-critical. However, if the system is addressed merely by a small user group 420, a C2 server could potentially be involved. If in addition the relevant users are a particular group of people having an increased threat potential, the analysis system 200, 300 generates an event or an alarm signal 108 which can subsequently be analysed by a specialist.
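The FIG. 4 mode of operation (a page reached by many different visitors is presumed non-critical; a page addressed only by a small group, especially one containing users with an increased threat potential, yields an event) as an added example in Python over constructed web-server access log lines. This is not code from the patent or from Deutsche Telekom; the log format, the sample lines, the set of high-threat clients and the way the group size and threat potential are combined into a probability value are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Common Log Format (not from the patent).
# Eight different clients visit /index.html, two clients visit /legacy/report,
# and two clients, one of them in a user group the analyst flagged as having
# an increased threat potential, repeatedly call /admin/sync.
SAMPLE_ACCESS_LOG = [
    f'10.0.0.{i} - - [01/Jan/2020:10:00:{i:02d} +0000] "GET /index.html HTTP/1.1" 200 5120'
    for i in range(1, 9)
] + [
    '10.0.0.20 - - [01/Jan/2020:10:01:00 +0000] "GET /legacy/report HTTP/1.1" 200 800',
    '10.0.0.21 - - [01/Jan/2020:10:01:05 +0000] "GET /legacy/report HTTP/1.1" 200 800',
    '10.0.0.66 - - [01/Jan/2020:10:02:00 +0000] "POST /admin/sync HTTP/1.1" 200 12',
    '10.0.0.67 - - [01/Jan/2020:10:02:30 +0000] "POST /admin/sync HTTP/1.1" 200 12',
    '10.0.0.66 - - [01/Jan/2020:10:03:00 +0000] "POST /admin/sync HTTP/1.1" 200 12',
    'this line is deliberately malformed and must be skipped',
]

# Clients belonging to a user group with increased threat potential; the
# grouping is a predetermined parameter supplied by the analyst (assumption).
HIGH_THREAT_CLIENTS = {"10.0.0.66"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def visitors_per_page(lines):
    """Collect the set of distinct clients that addressed each page."""
    visitors = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue            # unparsable line: skip rather than crash
        visitors[m.group("path")].add(m.group("client"))
    return visitors


def assess(lines, max_visitors, high_threat_clients, alarm_at=0.6):
    """Pages addressed only by a small group, each with a probability value.

    A page visited by more than max_visitors distinct clients is presumed
    non-critical and is not reported. A smaller group gets a base value that
    grows as the group shrinks; if the group contains a client with increased
    threat potential the value is doubled (capped at 1.0). An event is raised
    when the value reaches alarm_at. The formula is an assumption.
    """
    findings = []
    for path, clients in sorted(visitors_per_page(lines).items()):
        if len(clients) > max_visitors:
            continue
        base = 1.0 - len(clients) / (max_visitors + 1)
        overlap = sorted(clients & set(high_threat_clients))
        probability = min(1.0, base * (2.0 if overlap else 1.0))
        findings.append({
            "path": path,
            "visitors": len(clients),
            "high_threat": overlap,
            "probability": round(probability, 3),
            "alarm": probability >= alarm_at,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_ACCESS_LOG, 3, HIGH_THREAT_CLIENTS):
        print(finding)
```

Run on the sample, `/index.html` is dropped as familiar, `/legacy/report` is reported with a medium value but no alarm, and `/admin/sync` raises the event because its small group overlaps the high-threat set; the specialist then sees only those two records instead of the whole log.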
  • FIG. 5 is a schematic illustration of a scenario 500 of a virus attack on a group of networked computers of a company's internal computer network 510, an analysis system 200, 300 detecting the attack.
  • The analysis system 200, 300 may correspond to the systems described in FIG. 2 or FIG. 3.
  • The analysis system 200 may comprise a receiving module 201, a comparison module 203 and an output module 205.
  • In a receiving module 201, a plurality of warning messages 102 are received from the computers, the warning messages being based on different types of anomalies in the computer network in accordance with the illustration in FIG. 1.
  • In a comparison module 203, a number or fraction of the warning messages from the plurality of received warning messages is compared with a predetermined event threshold, the number or fraction of the warning messages being based on a single type of anomaly in the computer network.
  • An alarm signal 108 is outputted if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • FIG. 6 is a schematic illustration of a method 600 for detecting an attack on a computer network in accordance with an embodiment.
  • the method 600 comprises receiving 601 a plurality of warning messages from the computers, the warning messages being based on various types of anomalies in the computer network.
  • the method 600 comprises comparing 603 a number or fraction of the warning messages from the plurality of received warning messages with a predetermined event threshold, the number or fraction of the warning messages being based on a single type of anomaly in the computer network.
  • the method 600 comprises outputting 605 an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • the method 600 may comprise receiving the plurality of warning messages in a predetermined time interval. In an embodiment, the method 600 may comprise classifying the plurality of warning messages by the type of anomaly indicated by a respective warning message. In an embodiment, the method 600 may comprise determining the type of anomaly indicated by a warning message on the basis of the content of the warning message. In an embodiment, the method 600 may comprise counting the received warning messages which are classified as the same type in the predetermined time interval; and outputting the alarm signal if the number of warning messages counted in the predetermined time interval falls below the event threshold. In an embodiment, the method 600 may comprise determining a probability value for the presence of an attack on the computer network on the basis of the number of warning messages which fall below the event threshold.
  • the method 600 may comprise determining the probability value for the presence of an attack on the computer network, further on the basis of at least one of the following predetermined parameters: blacklists, whitelists, thresholds, event correlations, and definition of threat potentials of individual user groups of the computer network.
  • the method 600 may comprise determining the probability value for the presence of an attack on the computer network, further on the basis of a number of visitors to the computer network, in particular of a number of visitors to a Web page of the computer network.
  • the method 600 may comprise determining the probability value for the presence of an attack on the computer network, further on the basis of a frequency of rarely executed processes in the computer network.
  • the method 600 may comprise determining the probability value for the presence of an attack on the computer network, further on the basis of a frequency of programs which are being executed on a predetermined group of the plurality of computers in the computer network, in particular on the basis of a frequency of programs which have only been executed on the predetermined group of computers since a predetermined time.
  • the method 600 may comprise using one or more of the following systems on at least one of the plurality of computers to generate the warning messages: virus scanner, proxy server, IDS (intrusion detection system), firewall, operating system, log management system, SIEM system (security information and event management system).
  • the method 600 may comprise adjusting the event threshold on the basis of the number of warning messages which fall below the event threshold.
  • the method 600 may comprise making a suggestion to adjust the event threshold on the basis of the number of warning messages which fall below the event threshold and further on the basis of user feedback and/or changes in the network architecture of the computer network, in particular changes in the number of computers in the computer network.
  • the method 600 may comprise adaptively adjusting the event threshold, for example as a function of at least one of the following events: user feedback, changes in the network architecture of the computer network, changes in the number of computers in the computer network.
  • An aspect of the invention also comprises a computer program product which can be loaded directly onto the internal memory of a digital computer and which comprises software code portions by means of which the method 600 described in relation to FIG. 6 can be executed when the product runs on a computer.
  • the computer program product may be stored on a computer-compatible medium and comprise the follow: computer-readable program media which cause a computer to receive 601 a plurality of warning messages from the computers, the warning messages being based on different types of anomalies in the computer network; to compare 603 a number of warning messages from the plurality of received warning messages with a predetermined event threshold, the number of warning messages being based on a single type of anomaly in the computer network; and to output 605 an alarm signal if the number of warning messages based on the same type of anomaly in the computer network falls below the event threshold.
  • the computer may be a PC, for example a PC of a computer network.
  • the computer may be implemented as a chip, an ASIC, a microprocessor or a signal processor and be arranged in a computer network, for example a computer network as described in FIG. 4 or FIG. 5 .
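The following is an added worked example of the method 600 (steps 601, 603 and 605 together with the optional time interval, content-based classification, probability value, whitelist and adaptive threshold embodiments). It is illustration code written for this page, not code from the patent or from Deutsche Telekom. The keyword rules in TYPE_RULES, the threat-potential values per user group, the probability formula and the threshold-scaling rule are all assumptions, as are the sample warning messages, host names and private addresses, which are constructed inline. The point the code makes explicit is the inverted threshold: a type of anomaly seen on only a few computers raises an alarm, while one seen on many computers is treated as non-critical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WarningMessage:
    """One warning message 102 as received from a computer (step 601)."""
    ts: datetime
    host: str
    source: str      # generating system: virus scanner, IDS, proxy, OS ...
    content: str


# Assumed keyword rules for inferring the anomaly type from the message content;
# a real deployment would take the normalised type from the log management / SIEM layer.
TYPE_RULES = (
    ("blocked_url", ("blocked url", "proxy deny")),
    ("port_scan", ("port scan", "portscan")),
    ("rare_process", ("unknown process", "new executable")),
    ("malware", ("virus found", "malware")),
)

# Assumed threat potential per user group (the patent only states that groups have one).
THREAT_POTENTIAL = {"finance": 0.9, "admins": 0.8, "default": 0.3}


def classify(msg):
    """Determine the type of anomaly from the content of the warning message."""
    text = msg.content.lower()
    for anomaly_type, keywords in TYPE_RULES:
        if any(k in text for k in keywords):
            return anomaly_type
    return "unclassified"


def group_by_type(messages, window_start, window):
    """Keep only messages inside the predetermined time interval, bucketed by type."""
    window_end = window_start + window
    buckets = defaultdict(list)
    for m in messages:
        if window_start <= m.ts < window_end:
            buckets[classify(m)].append(m)
    return buckets


def attack_probability(count, event_threshold, hosts, host_group):
    """Assumed scoring: the rarer the anomaly type and the higher the threat
    potential of the affected user group, the higher the probability value."""
    rarity = 1 - count / event_threshold
    threat = max(THREAT_POTENTIAL.get(host_group.get(h, "default"),
                                      THREAT_POTENTIAL["default"]) for h in hosts)
    return round(rarity * threat, 3)


def analyse(messages, window_start, window, event_threshold, host_group,
            whitelist=frozenset()):
    """Steps 603 and 605: compare the per-type count with the event threshold and
    output an alarm for every type whose count falls BELOW it."""
    alarms = []
    for anomaly_type, msgs in group_by_type(messages, window_start, window).items():
        if anomaly_type in whitelist or len(msgs) >= event_threshold:
            continue   # widespread (or explicitly tolerated) event: presumed non-critical
        hosts = sorted({m.host for m in msgs})
        alarms.append({
            "type": anomaly_type,
            "count": len(msgs),
            "hosts": hosts,
            "probability": attack_probability(len(msgs), event_threshold, hosts, host_group),
        })
    return sorted(alarms, key=lambda a: a["probability"], reverse=True)


def suggest_threshold(event_threshold, hosts_before, hosts_after):
    """Adaptive adjustment (assumed rule): scale the threshold with the number of computers."""
    return max(1, round(event_threshold * hosts_after / hosts_before))


# Constructed sample input: six computers report the same virus, one computer is
# port-scanned, two finance workstations start an unknown process, one proxy block is
# whitelisted, and one port scan lies outside the one-hour interval.
T0 = datetime(2015, 7, 17, 9, 0)
SAMPLE = [
    WarningMessage(T0 + timedelta(minutes=i), f"pc{i:02d}", "av", "Virus found: EICAR test file")
    for i in range(6)
] + [
    WarningMessage(T0 + timedelta(minutes=10), "pc07", "ids", "Port scan from 10.0.0.7"),
    WarningMessage(T0 + timedelta(minutes=12), "fin01", "os", "Unknown process started: upd.exe"),
    WarningMessage(T0 + timedelta(minutes=15), "fin02", "os", "Unknown process started: upd.exe"),
    WarningMessage(T0 + timedelta(minutes=20), "pc08", "proxy", "Blocked URL: intranet-test"),
    WarningMessage(T0 + timedelta(hours=2), "pc20", "ids", "Port scan from 10.0.0.20"),
]
HOST_GROUP = {"fin01": "finance", "fin02": "finance"}   # assumed group membership


if __name__ == "__main__":
    for alarm in analyse(SAMPLE, T0, timedelta(hours=1), 3, HOST_GROUP,
                         whitelist=frozenset({"blocked_url"})):
        print(alarm)
    print("suggested threshold after doubling the fleet:", suggest_threshold(3, 100, 200))
```

With an event threshold of 3, the six malware warnings produce no alarm (the type is common across the network), while the single port scan and the unknown process seen only on the two finance workstations both fall below the threshold; the finance case ranks first because of the group's higher threat potential. The `suggest_threshold` call shows the embodiment that adapts the threshold to a changed number of computers.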

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
US14/801,913 2014-07-18 2015-07-17 Method for detecting an attack in a computer network Active 2035-09-01 US9900327B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP14177647.6A EP2975801B1 (de) 2014-07-18 2014-07-18 Method for detecting an attack in a computer network
EP14177647.6 2014-07-18
EP14177647 2014-07-18

Publications (2)

Publication Number Publication Date
US20160021128A1 US20160021128A1 (en) 2016-01-21
US9900327B2 true US9900327B2 (en) 2018-02-20

Family

ID=51212712

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/801,913 Active 2035-09-01 US9900327B2 (en) 2014-07-18 2015-07-17 Method for detecting an attack in a computer network

Country Status (7)

Country Link
US (1) US9900327B2 (zh)
EP (1) EP2975801B1 (zh)
JP (1) JP6442051B2 (zh)
CN (1) CN106537872B (zh)
CA (1) CA2954552C (zh)
PL (1) PL2975801T3 (zh)
WO (1) WO2016008778A1 (zh)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018212657A1 (de) * 2018-07-30 2020-01-30 Robert Bosch Gmbh Method and device for detecting irregularities in a computer network
EP3805928A4 (en) * 2018-10-11 2022-03-16 Nippon Telegraph And Telephone Corporation ANALYSIS DEVICE, ANALYSIS SYSTEM, ANALYSIS METHOD AND PROGRAM
FR3095313A1 (fr) * 2019-04-18 2020-10-23 Orange Method and device for processing an alert message notifying an anomaly detected in traffic sent via a network
CN112104480B (zh) * 2020-08-05 2022-10-21 福建天泉教育科技有限公司 Method and system for improving alarm quality
US11799879B2 (en) 2021-05-18 2023-10-24 Bank Of America Corporation Real-time anomaly detection for network security
US11588835B2 (en) 2021-05-18 2023-02-21 Bank Of America Corporation Dynamic network security monitoring system
US11792213B2 (en) 2021-05-18 2023-10-17 Bank Of America Corporation Temporal-based anomaly detection for network security
CN114024831B (zh) * 2021-11-08 2024-01-26 中国工商银行股份有限公司 Abnormal event early-warning method, apparatus and system
CN114567482A (zh) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Alarm classification method, apparatus, electronic device and storage medium
CN115118463A (zh) * 2022-06-10 2022-09-27 深信服科技股份有限公司 Compromised host detection method, apparatus, electronic device and storage medium
CN114978778B (zh) * 2022-08-01 2022-10-28 北京六方云信息技术有限公司 Multi-step attack detection method, apparatus and device based on causal inference

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020082886A1 (en) 2000-09-06 2002-06-27 Stefanos Manganaris Method and system for detecting unusual events and application thereof in computer intrusion detection
US20080209517A1 (en) * 2007-02-27 2008-08-28 Airdefense, Inc. Systems and methods for generating, managing, and displaying alarms for wireless network monitoring
WO2013016245A1 (en) 2011-07-22 2013-01-31 Anne-Marie Turgeon Systems and methods for network monitoring and testing using intelligent sequencing

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0334039A (ja) * 1989-06-30 1991-02-14 Nec Corp Fault message management method in network management
WO1999050750A1 (fr) * 1998-04-01 1999-10-07 Hitachi, Ltd. Method and device for producing messages and recording medium for storing a message production program
JP2000148276A (ja) * 1998-11-05 2000-05-26 Fujitsu Ltd Security monitoring device, security monitoring method and security monitoring program recording medium
JP2001356939A (ja) * 2000-06-13 2001-12-26 Tokyo Electric Power Co Inc:The Log information analysis device, method and recording medium
JP4619254B2 (ja) * 2005-09-30 2011-01-26 富士通株式会社 IDS event analysis and alert system
CN1848765A (zh) * 2006-03-10 2006-10-18 四川大学 Immune-based network intrusion risk assessment method
US8504504B2 (en) * 2008-09-26 2013-08-06 Oracle America, Inc. System and method for distributed denial of service identification and prevention
CN101399672B (zh) * 2008-10-17 2011-03-02 章毅 Intrusion detection method fusing multiple neural networks
JP5264470B2 (ja) * 2008-12-26 2013-08-14 三菱電機株式会社 Attack determination device and program
JP5066544B2 (ja) * 2009-03-31 2012-11-07 株式会社富士通ソーシアルサイエンスラボラトリ Incident monitoring device, method and program
KR101061375B1 (ko) * 2009-11-02 2011-09-02 한국인터넷진흥원 URI type based DDoS attack detection and response device
CN101741847B (zh) * 2009-12-22 2012-11-07 北京锐安科技有限公司 DDoS attack detection method
FI20096394A0 (fi) * 2009-12-23 2009-12-23 Valtion Teknillinen Intrusion detection in communication networks
US9503463B2 (en) * 2012-05-14 2016-11-22 Zimperium, Inc. Detection of threats to networks, based on geographic location
CN103856455A (zh) * 2012-12-04 2014-06-11 中山大学深圳研究院 Method and system for protecting a computer network from data flooding attacks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020082886A1 (en) 2000-09-06 2002-06-27 Stefanos Manganaris Method and system for detecting unusual events and application thereof in computer intrusion detection
US20080209517A1 (en) * 2007-02-27 2008-08-28 Airdefense, Inc. Systems and methods for generating, managing, and displaying alarms for wireless network monitoring
WO2013016245A1 (en) 2011-07-22 2013-01-31 Anne-Marie Turgeon Systems and methods for network monitoring and testing using intelligent sequencing

Also Published As

Publication number Publication date
PL2975801T3 (pl) 2017-07-31
WO2016008778A1 (de) 2016-01-21
EP2975801B1 (de) 2016-06-29
CN106537872A (zh) 2017-03-22
EP2975801A1 (de) 2016-01-20
CN106537872B (zh) 2020-11-24
JP2017528853A (ja) 2017-09-28
JP6442051B2 (ja) 2018-12-19
CA2954552C (en) 2019-08-20
US20160021128A1 (en) 2016-01-21
CA2954552A1 (en) 2016-01-21

Similar Documents

Publication Publication Date Title
US9900327B2 (en) Method for detecting an attack in a computer network
US10467411B1 (en) System and method for generating a malware identifier
EP3253018B1 (en) Network intrusion detection based on geographical information
US9378361B1 (en) Anomaly sensor framework for detecting advanced persistent threat attacks
US10686814B2 (en) Network anomaly detection
US7228564B2 (en) Method for configuring a network intrusion detection system
KR100800370B1 (ko) Attack signature generation method, method for applying a signature generation application, computer-readable recording medium and attack signature generation device
US7526806B2 (en) Method and system for addressing intrusion attacks on a computer system
US20040103021A1 (en) System and method of detecting events
US11075930B1 (en) System and method for detecting repetitive cybersecurity attacks constituting an email campaign
EP2366241B1 (en) Network analysis
US11405411B2 (en) Extraction apparatus, extraction method, computer readable medium
CN114006722B (zh) Situational awareness verification method, apparatus and system for discovering threats
CN114301700A (zh) Method, apparatus, system and storage medium for adjusting a network security defense scheme
EP3278536A1 (en) Network operation
CN114189361B (zh) Situational awareness method, apparatus and system for defending against threats
CN114301796B (zh) Verification method, apparatus and system for predictive situational awareness
US20230283621A1 (en) Systems, Methods, and Media for Distributed Network Monitoring Using Local Monitoring Devices
CN114205169A (zh) Network security defense method, apparatus and system
CN114172881A (zh) Prediction-based network security verification method, apparatus and system
EP3275148A1 (en) Optimizing data detection in communications
CN114338189B (zh) Situational awareness defense method, apparatus and system based on node topology relationship chains
US20220239634A1 (en) Systems and methods for sensor trustworthiness
Asgharian et al. Intrusion Response System for SIP based Applications with Engineered Feature Set
IDRIS et al. INTRUSION PREVENTION SYSTEM: A SURVEY

Legal Events

Date Code Title Description
AS Assignment

Owner name: DEUTSCHE TELEKOM AG, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KLOTH, MATHIAS;WESTPHALEN, MICHAEL;SIGNING DATES FROM 20150714 TO 20150720;REEL/FRAME:036234/0294

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4